[Snort-sigs] OpenSSH // SSH detection rules?

Tony Hernandez tonyh at ...1915...
Mon Dec 8 05:39:01 EST 2003

Hey guys, I have recently had an interest, for policy reasons here, in detecting incoming SSH connections to any of my subnets. Since the port may not be the default port (22), and it seems that I can't really tell which side the "OpenSSH-" banner is coming from, is there another way to detect SSH sessions at the packet level? By any packet pattern, challenge/response, etc.?

Is anyone using a rule like this, and/or a rule that can detect something like this with few FPs? Any examples for this would be greatly appreciated, as always.

Tony Hernandez
University of Florida
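
Added example, not part of the original post: both SSH endpoints send an identification line beginning with "SSH-", so port-independent detection can match that line and use the TCP handshake (who sent the SYN) to decide which side is the server. The packet tuples, addresses, banners and the `find_inbound_ssh` helper below are constructed for illustration.

```python
import ipaddress

# Constructed sample: (src, sport, dst, dport, tcp_flags, payload).
# Addresses, ports and banners are made up for illustration.
HOME_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PACKETS = [
    ("198.51.100.7", 40001, "10.1.2.3", 2222, "S", b""),
    ("10.1.2.3", 2222, "198.51.100.7", 40001, "SA", b""),
    ("198.51.100.7", 40001, "10.1.2.3", 2222, "A", b""),
    ("10.1.2.3", 2222, "198.51.100.7", 40001, "PA", b"SSH-2.0-OpenSSH_3.7.1p2\n"),
    ("198.51.100.7", 40001, "10.1.2.3", 2222, "PA", b"SSH-2.0-OpenSSH_3.5p1\n"),
    # Outbound SSH from an internal client: not an incoming connection.
    ("10.1.2.9", 40002, "203.0.113.5", 22, "S", b""),
    ("203.0.113.5", 22, "10.1.2.9", 40002, "PA", b"SSH-1.99-OpenSSH_3.4\n"),
    # Inbound HTTP: no SSH identification line.
    ("198.51.100.7", 40003, "10.1.2.4", 80, "S", b""),
    ("198.51.100.7", 40003, "10.1.2.4", 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
]

def ssh_ident(payload):
    """Return the first line of the payload that starts with 'SSH-', or None."""
    for line in payload.splitlines():
        if line.startswith(b"SSH-"):
            return line.decode("ascii", "replace")
    return None

def find_inbound_ssh(packets, home_nets):
    """Map (server_ip, server_port) -> {'server': banner, 'client': banner}."""
    flows, hits = set(), {}
    for src, sport, dst, dport, flags, payload in packets:
        if flags == "S":  # bare SYN: src is the client, dst is the server
            flows.add((src, sport, dst, dport))
            continue
        if (src, sport, dst, dport) in flows:
            role, srv = "client", (dst, dport)
        elif (dst, dport, src, sport) in flows:
            role, srv = "server", (src, sport)
        else:
            continue  # handshake not seen, so the direction is unknown
        ident = ssh_ident(payload)
        inbound = any(ipaddress.ip_address(srv[0]) in n for n in home_nets)
        if ident and inbound:
            # Keep the first banner seen from each side of the session.
            hits.setdefault(srv, {}).setdefault(role, ident)
    return hits
```

Requiring a banner from both roles before alerting reduces false positives from traffic that merely contains the string "SSH-".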
